strongdm 1.0.0

data/examples/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'strongdm'

data/examples/Gemfile.lock

@@ -0,0 +1,14 @@
+GEM
+  specs:
+    ipaddr (1.2.2)
+    openssl (2.1.2)
+      ipaddr
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  openssl
+
+BUNDLED WITH
+   1.17.2

data/examples/README.md

@@ -0,0 +1,5 @@
+Prior to running examples, run:
+
+```ShellSession
+$ bundler install
+```

data/examples/listUsers.rb

@@ -0,0 +1,21 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+require "strongdm"
+
+client = SDM::Client.new(ENV['SDM_API_ACCESS_KEY'], ENV['SDM_API_SECRET_KEY'])
+users = client.accounts.list('')
+users.each { |user|
+	p user
+}

data/examples/panicButton.rb

@@ -0,0 +1,154 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "strongdm"
+require "OpenSSL"
+require "JSON"
+
+# panicButton.rb suspends all users except for one admin,
+# in the fake use case of a critical break in or something
+# usage:
+# ruby panicButton.rb adminuser@email.com
+# to revert back to pre-panic state:
+# ruby panicButton.rb revert
+def main
+    access_key = ENV["SDM_API_ACCESS_KEY"]
+    secret_key = ENV["SDM_API_SECRET_KEY"]
+    if access_key == nil or secret_key == nil
+        puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
+        return
+    end
+    client = SDM::Client.new(access_key, secret_key)
+
+    if ARGV.size == 1 and ARGV[0] == "revert"
+        state_file = File.open("state.json")
+        state = JSON.load(state_file)
+
+        reinstated_count = 0
+
+        users = client.accounts.list('')
+        users.each{ |user|
+            if user.suspended
+                reinstated_count += 1
+                user.suspended = false
+                client.accounts.update(user)
+            end
+        }
+        state["attachments"].each { |attachment|
+            begin
+                a = SDM::AccountAttachment.new()
+                a.account_id = attachment["account_id"]
+                a.role_id = attachment["role_id"]
+                client.account_attachments.create(a)
+            rescue SDM::AlreadyExistsError
+            rescue => ex
+                puts "skipping creation of attachment due to error: " + ex.to_s
+            end
+        }
+        state["grants"].each { |attachment|
+            begin
+                g = SDM::AccountGrant.new()
+                g.account_id = attachment["account_id"]
+                g.resource_id = attachment["resource_id"]
+                client.account_grants.create(g)
+            rescue SDM::AlreadyExistsError
+            rescue => ex
+                puts "skipping creation of grant due to error: " + ex.to_s
+            end
+        }
+
+        puts "reinstated " + reinstated_count.to_s + " users"
+        puts "recreated " + state["attachments"].size.to_s + " account attachments"
+        puts "recreated " + state["grants"].size.to_s + " account grants"
+
+        return
+    end
+
+    admin_email = ""
+    if ARGV.size == 1
+        admin_email = ARGV[0]
+    else
+        puts "please provide an admin email to preserve"
+        return 1
+    end
+
+    admin_user_id = ""
+    users = client.accounts.list("email:?", admin_email)
+    users.each{ |user|
+        admin_user_id = user.id
+    }
+
+    account_attachments = client.account_attachments.list('')
+    account_grants = client.account_grants.list('')
+
+    state = {
+        'attachments': account_attachments.map{|x|
+            if x.account_id != admin_user_id
+                out = {
+                    'account_id': x.account_id,
+                    'role_id': x.role_id,
+                }
+            end
+        }.reject{|x| x == nil},
+        'grants': account_grants.map{|x|
+            if x.account_id != admin_user_id and x.valid_until == nil
+                out = {
+                    'account_id': x.account_id,
+                    'resource_id': x.resource_id,
+                }
+            end
+        }.reject{|x| x == nil},
+    }
+
+    puts "storing " + state[:attachments].size.to_s + " account attachments in state"
+    puts "storing " + state[:grants].size.to_s + " account grants in state"
+
+    state_file = File.open("state.json", "w")
+    state_file.write(state.to_json)
+
+    suspended_count = 0
+    users = client.accounts.list('')
+    users.each{ |user|
+        if user.instance_of? SDM::User and user.email == admin_email
+            next
+        end
+        user.suspended = true
+        begin
+            client.accounts.update(user)
+            suspended_count += 1
+        rescue StandardError => ex
+            puts "skipping user " + user.id + " on account of error: " + ex.to_s
+        end
+    }
+
+    puts "suspended " + suspended_count.to_s + " users"
+
+end
+
+main()

data/lib/errors/errors.rb

@@ -0,0 +1,85 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# This file was generated by protogen. DO NOT EDIT.
+
+module SDM
+
+    # RPCError is a generic RPC error
+    class RPCError < StandardError
+        attr_reader :code
+        def initialize(msg, code)
+            @code = code
+            super(msg)
+        end
+    end
+
+    # DeadlineExceededError indicates an RPC call timed out
+    class DeadlineExceededError < RPCError
+        def initialize(msg)
+            super(msg, 4)
+        end
+    end
+
+    # AlreadyExistsError is used when an entity already exists in the system
+    class AlreadyExistsError < RPCError
+        def initialize(msg)
+            super(msg, 6)
+        end
+    end
+
+    # NotFoundError is used when an entity does not exist in the system
+    class NotFoundError < RPCError
+        def initialize(msg)
+            super(msg, 5)
+        end
+    end
+
+    # BadRequestError identifies a bad request sent by the client
+    class BadRequestError < RPCError
+        def initialize(msg)
+            super(msg, 3)
+        end
+    end
+
+    # AuthenticationError is used to specify an authentication failure condition
+    class AuthenticationError < RPCError
+        def initialize(msg)
+            super(msg, 16)
+        end
+    end
+
+    # PermissionError is used to specify a permissions violation
+    class PermissionError < RPCError
+        def initialize(msg)
+            super(msg, 7)
+        end
+    end
+
+    # InternalError is used to specify an internal system error
+    class InternalError < RPCError
+        def initialize(msg)
+            super(msg, 13)
+        end
+    end
+
+    # RateLimitError is used for rate limit excess condition
+    class RateLimitError < RPCError
+        attr_reader :rate_limit
+        def initialize(msg, rate_limit)
+            @rate_limit = rate_limit
+            super(msg, 8)
+        end
+    end
+end

data/lib/grpc/account_attachments_pb.rb

@@ -0,0 +1,84 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: account_attachments.proto
+
+require 'google/protobuf'
+
+require 'google/api/annotations_pb'
+require 'protoc-gen-swagger/options/annotations_pb'
+require 'options_pb'
+require 'spec_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("account_attachments.proto", :syntax => :proto3) do
+    add_message "v1.AccountAttachmentCreateRequest" do
+      optional :meta, :message, 1, "v1.CreateRequestMetadata"
+      optional :account_attachment, :message, 2, "v1.AccountAttachment"
+      optional :options, :message, 3, "v1.AccountAttachmentCreateOptions"
+    end
+    add_message "v1.AccountAttachmentCreateOptions" do
+      optional :overwrite, :bool, 1
+    end
+    add_message "v1.AccountAttachmentCreateResponse" do
+      optional :meta, :message, 1, "v1.CreateResponseMetadata"
+      optional :account_attachment, :message, 2, "v1.AccountAttachment"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountAttachmentGetRequest" do
+      optional :meta, :message, 1, "v1.GetRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.AccountAttachmentGetResponse" do
+      optional :meta, :message, 1, "v1.GetResponseMetadata"
+      optional :account_attachment, :message, 2, "v1.AccountAttachment"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountAttachmentDeleteRequest" do
+      optional :meta, :message, 1, "v1.DeleteRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.AccountAttachmentDeleteResponse" do
+      optional :meta, :message, 1, "v1.DeleteResponseMetadata"
+      optional :rate_limit, :message, 2, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountAttachmentListRequest" do
+      optional :meta, :message, 1, "v1.ListRequestMetadata"
+      optional :filter, :string, 2
+    end
+    add_message "v1.AccountAttachmentListResponse" do
+      optional :meta, :message, 1, "v1.ListResponseMetadata"
+      repeated :account_attachments, :message, 2, "v1.AccountAttachment"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountAttachment" do
+      optional :id, :string, 1
+      optional :account_id, :string, 2
+      optional :role_id, :string, 3
+    end
+  end
+end
+
+module V1
+  AccountAttachmentCreateRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentCreateRequest").msgclass
+  AccountAttachmentCreateOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentCreateOptions").msgclass
+  AccountAttachmentCreateResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentCreateResponse").msgclass
+  AccountAttachmentGetRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentGetRequest").msgclass
+  AccountAttachmentGetResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentGetResponse").msgclass
+  AccountAttachmentDeleteRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentDeleteRequest").msgclass
+  AccountAttachmentDeleteResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentDeleteResponse").msgclass
+  AccountAttachmentListRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentListRequest").msgclass
+  AccountAttachmentListResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachmentListResponse").msgclass
+  AccountAttachment = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountAttachment").msgclass
+end

data/lib/grpc/account_attachments_services_pb.rb

@@ -0,0 +1,44 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# Source: account_attachments.proto for package 'v1'
+
+require 'grpc'
+require 'account_attachments_pb'
+
+module V1
+  module AccountAttachments
+    # AccountAttachments assign an account to a role.
+    class Service
+
+      include GRPC::GenericService
+
+      self.marshal_class_method = :encode
+      self.unmarshal_class_method = :decode
+      self.service_name = 'v1.AccountAttachments'
+
+      # Create registers a new AccountAttachment.
+      rpc :Create, AccountAttachmentCreateRequest, AccountAttachmentCreateResponse
+      # Get reads one AccountAttachment by ID.
+      rpc :Get, AccountAttachmentGetRequest, AccountAttachmentGetResponse
+      # Delete removes a AccountAttachment by ID.
+      rpc :Delete, AccountAttachmentDeleteRequest, AccountAttachmentDeleteResponse
+      # List gets a list of AccountAttachments matching a given set of criteria.
+      rpc :List, AccountAttachmentListRequest, AccountAttachmentListResponse
+    end
+
+    Stub = Service.rpc_stub_class
+  end
+end

data/lib/grpc/account_grants_pb.rb

@@ -0,0 +1,82 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: account_grants.proto
+
+require 'google/protobuf'
+
+require 'google/api/annotations_pb'
+require 'protoc-gen-swagger/options/annotations_pb'
+require 'google/protobuf/timestamp_pb'
+require 'options_pb'
+require 'spec_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("account_grants.proto", :syntax => :proto3) do
+    add_message "v1.AccountGrantCreateRequest" do
+      optional :meta, :message, 1, "v1.CreateRequestMetadata"
+      optional :account_grant, :message, 2, "v1.AccountGrant"
+    end
+    add_message "v1.AccountGrantCreateResponse" do
+      optional :meta, :message, 1, "v1.CreateResponseMetadata"
+      optional :account_grant, :message, 2, "v1.AccountGrant"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountGrantGetRequest" do
+      optional :meta, :message, 1, "v1.GetRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.AccountGrantGetResponse" do
+      optional :meta, :message, 1, "v1.GetResponseMetadata"
+      optional :account_grant, :message, 2, "v1.AccountGrant"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountGrantDeleteRequest" do
+      optional :meta, :message, 1, "v1.DeleteRequestMetadata"
+      optional :id, :string, 2
+    end
+    add_message "v1.AccountGrantDeleteResponse" do
+      optional :meta, :message, 1, "v1.DeleteResponseMetadata"
+      optional :rate_limit, :message, 2, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountGrantListRequest" do
+      optional :meta, :message, 1, "v1.ListRequestMetadata"
+      optional :filter, :string, 2
+    end
+    add_message "v1.AccountGrantListResponse" do
+      optional :meta, :message, 1, "v1.ListResponseMetadata"
+      repeated :account_grants, :message, 2, "v1.AccountGrant"
+      optional :rate_limit, :message, 3, "v1.RateLimitMetadata"
+    end
+    add_message "v1.AccountGrant" do
+      optional :id, :string, 1
+      optional :resource_id, :string, 2
+      optional :account_id, :string, 3
+      optional :start_from, :message, 4, "google.protobuf.Timestamp"
+      optional :valid_until, :message, 5, "google.protobuf.Timestamp"
+    end
+  end
+end
+
+module V1
+  AccountGrantCreateRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantCreateRequest").msgclass
+  AccountGrantCreateResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantCreateResponse").msgclass
+  AccountGrantGetRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantGetRequest").msgclass
+  AccountGrantGetResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantGetResponse").msgclass
+  AccountGrantDeleteRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantDeleteRequest").msgclass
+  AccountGrantDeleteResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantDeleteResponse").msgclass
+  AccountGrantListRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantListRequest").msgclass
+  AccountGrantListResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrantListResponse").msgclass
+  AccountGrant = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AccountGrant").msgclass
+end